US8925080B2 - Deception-based network security using false positive responses to unauthorized access requests - Google Patents


Info

Publication number
US8925080B2
Authority
US
United States
Prior art keywords
access request
unauthorized
port
application
application server
Legal status
Active, expires
Application number
US13/331,972
Other versions
US20130160079A1 (en)
Inventor
Cedric Hebert
Current Assignee
SAP SE
Original Assignee
SAP SE
Application filed by SAP SE
Priority to US13/331,972 (US8925080B2)
Priority to EP12008286.2A (EP2608481B1)
Priority to CN201210557173.4A (CN103179106B)
Assigned to SAP AG: assignment of assignors' interest (see document for details). Assignors: HEBERT, CEDRIC
Publication of US20130160079A1
Assigned to SAP SE: change of name (see document for details). Assignors: SAP AG
Application granted
Publication of US8925080B2
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • This description relates to computer security.
  • Malicious and other illegitimate potential users of network computing resources may attempt to gain unauthorized access to such computing resources, using a variety of techniques.
  • Such unauthorized users are sometimes referred to as hackers.
  • Hackers may attempt to gain access to data or other resources which have been made available on the network in a manner intended to provide secure, confidential access to a limited set of authorized users.
  • Companies may provide public websites designed to interact with customers and potential customers, and hackers may attempt to modify such websites in undesired manners, and/or to modify or otherwise access confidential data used to support functionality of related websites.
  • Current trends in network usage include greater usage of web-based/cloud-based applications, including the use of network-based data storage. Consequently, such trends provide an increasing number of high-value targets for hackers and other unauthorized users.
  • A computer system may include instructions recorded on a computer-readable storage medium and readable by at least one processor.
  • The system may include a request handler configured to cause the at least one processor to receive an access request for access to application server resources of an application server and to determine that the access request is unauthorized, and a response manager configured to cause the at least one processor to provide a false positive response including apparent access to the application server resources.
  • A computer-implemented method for causing at least one processor to execute instructions recorded on a computer-readable storage medium may include receiving an access request for access to application server resources of an application server.
  • The computer-implemented method may further include determining that the access request is unauthorized, and providing a false positive response including apparent access to the application server resources.
  • A computer program product may be tangibly embodied on a computer-readable medium and may include instructions that, when executed, are configured to cause at least one processor to receive an access request for access to application server resources of an application server, determine that the access request is unauthorized, and provide a false positive response including apparent access to the application server resources.
  • FIG. 1 is a block diagram of a system for providing false positive responses to potentially unauthorized access requests.
  • FIG. 2 is a flowchart illustrating example operations of the system of FIG. 1.
  • FIG. 3 is a flowchart illustrating example operations related to example configurations of the system of FIG. 1.
  • FIG. 4 is a flowchart illustrating example implementations of executions of the system of FIG. 1.
  • FIG. 1 is a block diagram of a system 100 for providing false positive responses to potentially unauthorized access requests.
  • The system 100 may deceive unauthorized users into believing, at least for a period of time, that their unauthorized access attempts have not been detected as such. Consequently, it may be more difficult (e.g., more time-consuming and/or more resource intensive) for unauthorized users to gain actual access.
  • The unauthorized users may be content with the obtained results, and may cease, at least for the time being, further access attempts.
  • The unauthorized users may continue to interact with the falsely-provided resources, so that, for example, such interactions may be tracked by operators of the system 100, in order, e.g., to conduct legal proceedings against, or otherwise deter or stop, the unauthorized users.
  • A deception manager 102 may be configured to interact with a client computer 104, where the client computer 104 may be understood to represent a source of access requests which may be malicious, unauthorized, or otherwise undesirable. As described in detail herein, the deception manager 102 may be configured to access a knowledge base 106 in order to determine whether, in fact, access requests received from the client computer 104 are malicious, unauthorized, or otherwise undesirable.
  • The deception manager 102 may utilize the knowledge base 106 in conjunction with a decoy server 108, in order to provide a deceptive false positive result to any such undesirable (or potentially undesirable) access request.
  • Illegitimate users of the client computer 104 may be deceived into believing that unauthorized access requests have been successful and/or have not been detected as such, while all along failing to achieve the desired unauthorized results.
  • The deception manager 102 and the client computer 104 may be in communication with one another using any suitable or relevant communication techniques.
  • The deception manager 102 and the client computer 104 may communicate over any suitable computer network, including a public network (e.g., the public internet, or secured portions thereof), or a private network (e.g., a corporate intranet).
  • The deception manager 102 may be associated with a plurality of network resources, and the deception manager 102 may represent, or be included in, a common point of entry for all access requests and other communications from external network devices, including the client computer 104.
  • The deception manager 102 may be executed in the context of, in conjunction with, or as part of an otherwise conventional firewall device.
  • Firewall devices by themselves are generally well known to provide security-related functionality, including, e.g., encryption/decryption of data, username/password maintenance and management, and various other known functions related to maintaining the confidentiality, validity, and authorization of communications between external network devices and underlying, backend network resources.
  • The client computer 104 may be configured to guess, deduce, or otherwise determine a proper form and/or content of an access request that might be authorized by the deception manager 102.
  • The client computer 104 may be configured to make repeated, random attempts to establish the form and content of such access requests, until, by process of elimination, a proper access request is determined.
  • The deception manager 102 may be configured to detect such unauthorized access requests, and to respond by providing a false positive result, thereby deceiving the operator of the client computer 104 into believing that the unauthorized access request was successful.
  • The deception manager 102 may route the unauthorized access requests and subsequent communications from the client computer 104 to the decoy server 108, which may be configured to respond to the unauthorized access requests and subsequent communications in a manner which mimics the actual communications that would have been provided by the illegitimately-requested network resource.
  • The operator of the client computer 104 may continue to interact with the decoy server 108 for some period of time, until determining or guessing that the decoy server 108 represents a false positive, or until otherwise deciding to cease interactions with the decoy server 108.
  • A logging engine 110 may be configured to record actions and other communications associated with the operator of the client computer 104. Accordingly, the system 100 may facilitate legal actions against the operator of the client computer 104. In other examples, as described in more detail below, the logging engine 110 may enable improved performance of the system 100 in future attempts to detect and respond to unauthorized access requests.
  • An application server 112 is illustrated as an example of network resources which might be a target for unauthorized access by the operator of the client computer 104.
  • The application server 112 may be associated with a plurality of ports, illustrated in the example of FIG. 1 as ports 114A, 114B.
  • Such ports may include or represent, for example, logical/virtual points of connection for direct communications between two applications, without requiring an intermediate file or other storage. A port is associated with an IP address of the host, as well as with the type of protocol used for communication.
  • The protocols that primarily use ports are the Transport Layer protocols, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet Protocol Suite.
  • A port is identified for each address and protocol by a 16-bit number, commonly known as the port number.
  • The ports 114A, 114B may be configured to provide specific types of data connections, such that each specific type of communication may be associated with one or more of the ports.
  • Individual ports may be associated with specific numbers designated as corresponding to specific types of network communications.
  • For example, ports may be associated with FTP (file transfer protocol), telnet, or BGP (border gateway protocol), to name a few.
  • An operator of the application server 112 and/or the deception manager 102 may wish to utilize a subset of available ports for legitimate communications with a desired or intended audience. For example, out of hundreds or thousands of available ports, a dozen or more may be designated as being open so as to conduct legitimate communications. Consequently, in conventional scenarios, the remaining ports may be closed.
  • The client computer 104 may be configured to execute port scanning software which scans all ports of the application server 112, in order to identify one or more of the subset of available ports which have been configured to be open for data communications. If successful in identifying such open ports, which would otherwise normally be available only to legitimate users notified of their availability, the operator of the client computer 104 may proceed to execute unauthorized or undesired communications using the discovered open ports.
  • A second subset of ports, which are not needed for legitimate communications with an intended audience, may nonetheless be designated as being open for communications, in conjunction with operations of the deception manager 102.
  • An operator of the client computer 104 utilizing port scanning software may believe that an open port has been discovered, when in fact the discovered and apparently open port represents a false positive provided by the deception manager 102 for purposes of deceiving the operator of the client computer 104 as described herein.
  • The port 114A is designated as being open for legitimate communications in association with operations of the application server 112.
  • The port 114B may not be required for such legitimate communications, but may nonetheless be falsely designated as open for purposes of deceiving the operator of the client computer 104.
  • The operator of the client computer 104 may scan all available ports, in an attempt to conduct unauthorized communications therewith.
  • The deception manager 102 may deduce or determine that any associated access requests are unauthorized, and may therefore route such access requests and associated communications to the decoy server 108, which may be configured to mimic operations of the application server 112 and thereby deceive the operator of the client computer 104.
  • The operator of the client computer 104 may nonetheless be unable to determine which of the ports represents an actual open port. Similarly, even if the operator of the client computer 104 initially discovers the open port 114A, knowledge of the potential use of the deception manager 102 may cause the operator of the client computer 104 to doubt the authenticity of any subsequent communications with the application server 112.
  • The deception manager 102 may confuse or otherwise hinder the operator of the client computer 104, and may therefore cause such port-based attacks to be less fruitful for the operator of the client computer 104, and therefore less likely to occur and/or do harm.
  • The logging engine 110 may be utilized to track and record such interactions, so as to facilitate legal action and/or future deterrence efforts with respect to the operator of the client computer 104.
  • The application server 112 may be configured to execute an application 116.
  • The application 116 and the application server 112 may represent virtually any such application which may be made available over a network.
  • For example, the application 116 may be associated with a commercial website designed for executing retail transactions over the public internet.
  • The application 116 may represent business software designed to support and otherwise facilitate operations of an enterprise.
  • Many other examples of the application 116 exist, and would be well known to one of skill in the art.
  • The client computer 104 may be configured to execute application-specific attacks against the application 116.
  • The application 116 may be protected through the use of authorized username/password combinations which are required to be entered by authorized users prior to providing certain types of access (e.g., administrative access) to the application 116.
  • The client computer 104 may be configured to guess, deduce, or determine such username/password combinations (e.g., using random character combinations as part of a process of elimination), so as to thereby gain unauthorized access to operations of the application 116.
  • Various other types of application-level attacks may be launched by the client computer 104.
  • Directory traversal attacks may be implemented in which resource locators (e.g., uniform resource locators or URLs, utilized in the context of an address bar of a conventional web browser) are manipulated by the client computer 104 in an attempt to guess an otherwise unavailable file or folder stored using the application 116 and/or the application server 112.
  • The operator of the client computer 104 may traverse a directory structure of the application 116, and thereby identify resources which have not been made publicly available, and which may therefore be thought to be safe from, or inaccessible by, unauthorized users.
  • The application server 112 may provide a domain of websites and associated applications 116, many of which may be configured to be publicly accessible, e.g., through the use of hyperlinks.
  • An operator or administrator of the application server 112 may include private webpages which may be used, e.g., for administration and management of the various related websites and applications, and/or for management of private data, e.g., customer data.
  • Such non-public sites may be associated with specific, non-public uniform resource locators (URLs).
  • An example public webpage www.homepage.com may be associated with non-public webpages, e.g., www.homepage.com/customer_data or www.homepage.com/admin_page.
  • An operator of the client computer 104 may enter, guess, or otherwise determine, using the base website name www.homepage.com, such pages which are designed and intended to be non-public. Subsequently, in conventional systems, the operator of the client computer 104 may be enabled to access or modify data in an illegitimate or unauthorized manner.
  • The application 116 may include a conventional controller 116A and an associated page model 116B.
  • The controller 116A may be understood to receive inputs from users, consult the page model 116B, and return desired information or functionality to the requesting user.
  • The operator of the client computer 104 may seek to hijack or otherwise utilize operations of the controller 116A and page model 116B in order to obtain desired, illegitimate results.
  • The operator of the client computer 104 may modify client-side scripts designed to be executed at the client computer 104, to thereby cause the client-side scripting to instead modify general operations of the controller 116A.
  • The operator of the client computer 104 may use scripts designed to be viewed and used only at the specific client computer 104 to affect operations of the application 116 as viewed and utilized by many or all other users thereof.
  • The page model 116B includes, or is associated with, a database, such as a database managed using the popular structured query language (SQL).
  • SQL is a popular database management language which enables users to modify (update, delete), maintain, or otherwise manage large relational databases.
  • The operator of the client computer 104 may utilize a technique known as SQL injection to include SQL commands in otherwise normal interactions with the controller 116A.
  • The operator of the client computer 104 may modify normal or expected user inputs to include illicit or unauthorized SQL commands, so that the controller 116A may thereafter execute the unauthorized SQL commands.
  • For example, the operator of the client computer 104 may include an SQL command to delete an entire table of customer data from data associated with the page model 116B. In this way, the operator of the client computer 104 may disrupt operators of the application 116, or otherwise obtain unauthorized responses from the application 116.
  • The various attack techniques referred to above, and related attack techniques, may be associated with known software for performing the functions described above.
  • For example, software known as John the Ripper is utilized to generate potential passwords in order to gain access to a password-protected system.
  • Known attack software may be included in, or utilized in conjunction with, support tools/plug-ins 118.
  • The support tools/plug-ins 118 may be utilized by the knowledge base 106 in order to update and configure the knowledge base 106 for subsequent consultation by the deception manager 102 when evaluating access requests from the client computer 104.
  • The knowledge base 106 also may be updated based on information stored in a login database 120, which may be updated based on operations of the logging engine 110 during monitoring and tracking of interactions of the client computer 104 with the decoy server 108, as described herein.
  • The login database 120 may be utilized by, or in conjunction with, the knowledge base 106, so as to maintain an updated version of the knowledge base 106 which is thereby configured to instruct the deception manager 102 in a timely and accurate fashion with respect to evaluations of access requests from the client computer 104.
  • A request handler 122A, 122B may be configured to receive access requests from the various computers, including the client computer 104.
  • The deception manager 102 may be implemented in conjunction with, or as part of, a firewall device which is positioned on a network to receive all access requests destined for the application server or other network resources. Consequently, the request handler 122A may be well-positioned to intercept or otherwise receive access requests from the client computer 104.
  • The request handler 122A may consult the knowledge base 106 in order to, e.g., determine that a given access request is unauthorized. Consequently, a response manager 124A may be configured to execute an appropriate response, including routing current and future communications from the client computer 104 originating the unauthorized request to the decoy server 108.
  • The response manager 124A may be configured to execute in conjunction with, or as part of, a reverse proxy, which is conventionally used to perform load balancing and/or failover functionality using a plurality of backend servers.
  • The response manager 124B may be configured to utilize similar functionality for the purpose of routing the unauthorized access requests and subsequent communications from the client computer 104 to the decoy server 108, which is configured to mimic operations of the requested network resource, e.g., the application server 112.
  • The request handler 122A may include a probe detector 126 which is configured to detect port scanning operations of the client computer 104 with respect to the ports 114A, 114B. For example, as described above, it may occur that the port 114A is configured to be open for purposes of legitimate data traffic, while the port 114B may not be required for legitimate data traffic, yet may be configured to be open nonetheless.
  • The probe detector 126 may determine, in conjunction with the knowledge base 106, that the port 114B has been configured to be open only for the purposes of deceiving the operator of the client computer 104 submitting the unauthorized access request.
  • A password system 128 of the request handler 122A may be configured to receive a false password from the client computer 104, and to thereby determine that the client computer 104 is attempting to gain unauthorized access, e.g., to the application 116.
  • The password system 128 may be configured to generate a number of false usernames and/or passwords in conjunction with, e.g., in addition to, any actual, authorized username/password combinations which may exist with respect to the application 116.
  • The request handler 122A may be configured to determine the unauthorized nature of an access request received from the client computer 104.
  • The response manager 124 may be configured to route the unauthorized access request and subsequent communications to the decoy server 108, as described herein.
  • The request handler 122A may mistakenly identify an unauthorized access request as being authorized and permissible. Similarly, the request handler 122A may come to an indeterminate result in its attempt to classify a specific access request as authorized or unauthorized.
  • In such cases, a deceiver library agent 130 may be configured to identify the access request as being unauthorized, in conjunction with the request handler 122B.
  • A number of known techniques exist for detecting SQL injection attempts, the various other application-level attacks described above, and related attack types.
  • For example, input validation and sanitization techniques exist which enable detection of embedded SQL commands, so that associated user inputs may be sanitized (i.e., may have the offending SQL injection attempts removed, or have the entirety of the associated user input dropped).
  • The response manager 124B, in conjunction with the deceiver library agent 130, may be configured to recognize unauthorized access requests associated with the types of attacks described above, and thereafter inform the response manager 124A of the deception manager 102 to route the unauthorized access requests and subsequent communications from the client computer 104 to the decoy server 108.
  • The system 100 may be configured to send false success responses for code areas which are normally out of bounds of firewalls or intrusion detection systems. This allows, for example, for sending a false success response code in response to directory traversals, which may thereby confuse attackers, and render their attack methods useless.
  • The decoy server 108 may be utilized to pretend that a received SQL injection was successful, while not breaking the normal behavior of the application 116 in conjunction with separate, legitimate access requests.
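The application-side handling just described, as an added example that is not the patent's code: a deceiver library agent classifies each request with two conventional detectors (a path check for directory traversal and a pattern check for SQL injection), passes clean requests to the real application, and answers flagged requests from a decoy that returns a plausible success instead of an error, logging the attempt. The web root, the URLs, the request dictionaries and the two stand-in back ends are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

WEB_ROOT = "/var/www/app"   # constructed: the directory the application serves from

# Conventional pattern detectors, kept deliberately simple for illustration.
_SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\w*'?\s*=\s*'?\w*", re.IGNORECASE),   # tautology such as ' OR '1'='1
    re.compile(r"\b(union\s+select|drop\s+table|delete\s+from)\b", re.IGNORECASE),
    re.compile(r"--|/\*"),                                          # SQL comment markers
]


def is_sql_injection(value):
    return any(p.search(value) for p in _SQLI_PATTERNS)


def escapes_web_root(path):
    """True if the URL path, once decoded and normalised, leaves WEB_ROOT."""
    decoded = unquote(unquote(path))   # a second decode also catches double-encoded ../
    target = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    return not (target == WEB_ROOT or target.startswith(WEB_ROOT + "/"))


def real_application(request):
    """Stand-in for application 116: serves legitimate requests normally."""
    return {"status": 200, "body": "real content", "decoy": False}


def decoy_server(request, attack):
    """Stand-in for decoy server 108: pretends the attack worked (constructed bodies)."""
    fake = {"directory_traversal": "-- decoy file listing --",
            "sql_injection": "Query OK, 1 row affected"}
    return {"status": 200, "body": fake[attack], "decoy": True}


class DeceiverLibraryAgent:
    """Plays the roles of request handler 122B / response manager 124B for one application."""

    def __init__(self, application, decoy):
        self.application = application
        self.decoy = decoy
        self.log = []   # (url, attack or None) records for the logging engine

    def classify(self, request):
        url = urlparse(request["url"])
        if escapes_web_root(url.path):
            return "directory_traversal"
        params = parse_qs(url.query, keep_blank_values=True)
        for name, value in request.get("form", {}).items():
            params.setdefault(name, []).append(value)
        for values in params.values():
            if any(is_sql_injection(v) for v in values):
                return "sql_injection"
        return None

    def handle(self, request):
        attack = self.classify(request)
        self.log.append((request["url"], attack))
        if attack:
            # Unauthorized: answer from the decoy so the attack appears to
            # succeed, without the real application ever seeing the input.
            return self.decoy(request, attack)
        return self.application(request)


if __name__ == "__main__":
    agent = DeceiverLibraryAgent(real_application, decoy_server)
    for req in [{"url": "https://www.homepage.com/index.html?id=42"},
                {"url": "https://www.homepage.com/images/..%252f..%252f..%252fetc/passwd"},
                {"url": "https://www.homepage.com/search",
                 "form": {"q": "x'; DELETE FROM customers; --"}}]:
        print(req["url"], "->", agent.handle(req))
```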
  • FIG. 1 illustrates an example block diagram of a system 100, in which the various functional blocks are illustrated and described as shown.
  • The system 100 of FIG. 1 is intended merely for the sake of example, and many additional or alternative implementations may be provided.
  • Components illustrated at one location in the example of FIG. 1 may be implemented, in whole or in part, at a different location thereof.
  • Any single component of the example of FIG. 1 may be executed using two or more components which each perform a corresponding subset of the functionalities of the single illustrated component.
  • Any two or more of the components of FIG. 1 may be executed using a single component.
  • FIG. 2 is a flowchart 200 illustrating example operations of the system 100 of FIG. 1.
  • Operations 202-206 are illustrated as separate, sequential operations. However, it may be appreciated that in additional or alternative implementations, the operations 202-206 may be performed in a partially or completely overlapping or parallel manner, and/or may be implemented in a nested, iterative, or looped fashion. Moreover, additional or alternative operations may be included, while one or more operations may be deleted.
  • An access request for access to application server resources of an application server may be received (202).
  • The request handler 122A, 122B may receive such an access request with respect to the application 116 of the application server 112, and/or with respect to the various ports 114A, 114B associated therewith.
  • For example, the probe detector 126 may receive a port request from the client computer 104 for access to the closed port 114B.
  • The password system 128 may receive a false username/password from the client computer 104.
  • The request handler 122B may receive an access request with respect to the application 116 which is part of a directory traversal attack, client-side scripting attack, or SQL injection attack.
  • The access request may be determined to be unauthorized (204).
  • The request handlers 122A, 122B, or components thereof, may consult the knowledge base 106 to determine that a given access request is unauthorized.
  • The probe detector 126 may consult the knowledge base 106 to determine that the requested port (e.g., port 114B) is open only for purposes of deceiving unauthorized users.
  • The password system 128 may operate in conjunction with the knowledge base 106 and the associated support tools/plug-ins 118, which may provide information useful in identifying receipt of false passwords.
  • The request handler 122B at the application 116 may determine that the access request is associated with a directory traversal attack, client-side scripting attack, or SQL injection attack, in conjunction with the deceiver library agent 130.
  • A false positive response including apparent access to the application server resources may be provided (206).
  • The response manager 124A, 124B may be configured to route the unauthorized access request and subsequent communications from the client computer 104 to the decoy server 108.
  • The decoy server 108 may be configured to deceive the operator of the client computer 104 into believing that he or she has access to the desired application resources.
  • The logging engine 110 may be configured to track and monitor interactions of the operator of the client computer 104 with the decoy server 108, so as to assist in future deterrence of the same or other attackers, or for instituting legal or other action against the operator of the client computer 104.
  • FIG. 3 is a flowchart 300 illustrating example operations associated with configuring the system 100 of FIG. 1.
  • The example of FIG. 3 illustrates actions which might be taken by an operator or administrator of the deception manager 102, the application server 112, and/or various other components of the system 100 in communication with the client computer 104.
  • False open ports may be configured (302).
  • For example, the port 114B, which is not desired or needed for actual, authorized network communications, may nonetheless be designated as open for purposes of deceiving the operator of the client computer 104.
  • The number of available ports associated with the application server 112 may range, for example, in the hundreds or thousands. Consequently, it may be desirable to determine a number or percentage of closed ports to be designated as open. For example, during legitimate operations of the application server 112, it may occur that only a small number of available ports are desired for the authorized operations of the application server 112. Then, an operator or administrator of the system 100 may decide a number or percentage of the remaining ports to be designated as being open.
  • Such decisions may take into account the operation of the deception manager 102, inasmuch as the goal of the deception manager 102 is to deceive the operator of the client computer 104 with respect to the mimicking of the application server 112 by the decoy server 108. Therefore, it may not be desirable to designate all closed ports as being open, since, or to the extent that, it is unusual to open all ports in conjunction with operations of the application server 112. Rather, the number of ports to be left open might be selected based on a desire to flood the operator of the client computer 104 with erroneous results, while at the same time not alerting the operator of the client computer 104 to the presence of such deception by simply opening all available ports.
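As an added example (not code from the patent), here is one way to plan the decoy-open ports of operation 302 and to classify port requests the way the probe detector 126 is described to above: a chosen fraction of the closed ports is made to answer, a request to a decoy port is routed to the decoy server, and a source that has touched a decoy port keeps being routed there even when it later reaches the real open port, while genuinely closed ports stay closed so the deception is not given away. The port numbers, the 5 % fraction and the addresses are constructed assumptions.

```python
import random

# Constructed example configuration (not from the patent): the application
# server legitimately answers on three ports; every other port is closed.
LEGITIMATE_OPEN_PORTS = {22, 80, 443}
PORT_RANGE = range(1, 1025)   # candidate ports the planner may open as decoys
DECOY_FRACTION = 0.05         # open 5 % of the closed ports as decoys (assumed)


def plan_decoy_ports(legitimate, candidates, fraction, seed=0):
    """Designate a fraction of the closed ports as falsely open decoy ports.

    Opening every closed port would itself give the deception away, so only a
    chosen percentage of the remaining ports answers. The seed makes the
    selection reproducible for this example; a deployment would not need it.
    """
    closed = sorted(p for p in candidates if p not in legitimate)
    count = max(1, int(len(closed) * fraction))
    return set(random.Random(seed).sample(closed, count))


class ProbeDetector:
    """Classifies each connection request by destination port and source.

    Routing decisions:
      "application": a legitimate port, forwarded to the real application server
      "decoy":       a decoy port, or a legitimate port reached by a source that
                     already probed a decoy; forwarded to the decoy server
      "closed":      a genuinely closed port, refused as usual
    """

    def __init__(self, legitimate, decoys):
        self.legitimate = set(legitimate)
        self.decoys = set(decoys)
        self.deceived_sources = set()   # sources already routed to the decoy
        self.log = []                   # what the logging engine would record

    def route(self, source, port):
        if port in self.decoys:
            # A request to a port opened only for deception is unauthorized by
            # construction: no legitimate user was ever told to use it.
            self.deceived_sources.add(source)
            decision = "decoy"
        elif port in self.legitimate:
            # Subsequent communications from a caught source stay on the decoy,
            # so the scanner cannot tell the real open port from the false ones.
            decision = "decoy" if source in self.deceived_sources else "application"
        else:
            # Closed ports stay closed even for a deceived source; opening
            # everything would reveal the deception.
            decision = "closed"
        self.log.append((source, port, decision))
        return decision


def simulate_scan(detector, source, ports):
    """Return the ports a scan from `source` would report as open."""
    return [p for p in ports if detector.route(source, p) != "closed"]


if __name__ == "__main__":
    decoys = plan_decoy_ports(LEGITIMATE_OPEN_PORTS, PORT_RANGE, DECOY_FRACTION)
    detector = ProbeDetector(LEGITIMATE_OPEN_PORTS, decoys)
    seen = simulate_scan(detector, "198.51.100.7", PORT_RANGE)
    print(f"scanner sees {len(seen)} open ports; only {len(LEGITIMATE_OPEN_PORTS)} are real")
    print("later request to port 80 from the scanner ->", detector.route("198.51.100.7", 80))
```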
  • False passwords may be configured ( 304 ).
  • the knowledge base 106 may interact with the support tools/plug-ins 118 to determine the types of passwords which might be selected by the operator of the client computer 104 in attempting to gain access to the application 116 .
  • the password system 128 may be configured to generate false passwords which are related to, or similar to, actual passwords of authorized users.
  • standard passwords, i.e., default or commonly guessed passwords of the kind produced by the support tools/plug-ins 118, may also be stored by the password manager 128 as false passwords, so that an access request from the operator of the client computer 104 that presents one of them is recognized as a deception target and the operator is led into interacting harmlessly with the decoy server 108.
  • the password manager 128 may consult the knowledge base 106 or another appropriate resource in order to consider the possibility that such a standard password has been chosen by an authorized user (i.e., even where that password has been stored as a potential false password). In such cases, the password manager 128 may treat the received password as legitimate for purposes of granting the immediate access request, but may instruct the request handler 122B of the application 116 to inspect subsequent application-related requests more carefully for potential unauthorized activity.
  • the deceiver library agent 130 may be configured for each application ( 306 ). That is, as referenced above, the request handler 122 B, the response manager 124 B, and the deceiver library agent 130 may be desired or required to be implemented in the context of the corresponding specific application. For example, such implementations may be desired or necessary when using otherwise conventional tools to detect the types of attacks referenced above.
  • the knowledge base 106 may be configured to provide a desired response ( 308 ).
  • the response manager 124 may be configured to consult the knowledge base 106 in order to determine a desired response in addition or alternative to the rerouting of communications of the operator of the client computer 104 to the decoy server 108 .
  • the knowledge base 106 may be configured to designate a false positive response on the part of the deception manager 102 including a return message to the operator of a client computer 104 that access has been granted but delayed due to certain specified or un-specified reasons.
  • the knowledge base 106 may be configured to cause the response manager 124 A to provide a false positive response in addition or alternative to rerouting of the unauthorized access requests and associated communications to the decoy server 108 .
  • the plug-in/support tools 118 may be used by the knowledge base 106 to maintain current, up-to-date techniques for monitoring access requests and responding thereto.
  • the deception manager may be configured to access the knowledge base ( 310 ).
  • the request handler 122 A and the response manager 124 A may be configured to utilize one or more appropriate application programming interfaces (APIs) to access the knowledge base 106 .
  • the decoy server 108 may be configured to implement a desired response ( 312 ).
  • the decoy server 108 may be configured to mimic the application 116 or other desired application resource. Consequently, the experience of the operator of a client computer 104 may be entirely consistent with an experience of interacting directly with the application 116 .
  • the decoy server 108 may be configured to provide various inconveniences to the operator of a client computer 104 in illegal or otherwise improper communications with the decoy server 108 .
  • the decoy server 108 need not mimic the application 116 exactly, but, rather, may be configured to act in ways which inconvenience the operator of the client computer 104 , and/or which encourage the operator of the client computer 104 to continue interacting with the decoy server 108 , so that the logging engine 110 may execute its desired purpose.
  • FIG. 4 is a flowchart 400 illustrating example executions of the system 100 of FIG. 1 .
  • a port access request may be received ( 402 ).
  • the probe scanner 126 may receive a request from the client computer 104 for either the port 114 A or the port 114 B.
  • if the probe scanner 126 determines that the access request is for a falsely (deceptively) open port, such as the port 114B, it may route the request and subsequent communications from the client computer 104 to the decoy server 108 ( 422 ). Otherwise, if the access request is for the legitimately open port 114A, the client computer 104 may be provided with access to the application 116 ( 408 ).
  • the request handler 122 A may receive a request for access to the application 116 or other network resources ( 410 ).
  • the password system 128 may access the knowledge base 106 ( 412 ) in order to judge the legitimacy of the access request. If the request is permitted ( 413 ), application access may be granted ( 408 ). Otherwise ( 413 ), if the application 116 is protected by the password system 128 ( 410 ), then upon receipt of a username/password combination ( 414 ), the password system 128 may determine whether the received password is a false password ( 416 ).
  • if so, the password system 128 may route the access request and subsequent communications from the client computer 104 to the decoy server 108 ( 422 ). Otherwise, as referenced above, it may be difficult for the request handler 122A, even in conjunction with the knowledge base 106, to determine whether application-specific requests are legitimate. Consequently, the request handler 122A may provide initial access to the application 116 ( 408 ), while at the same time ensuring that the request handler 122B and the deceiver library agent 130 inspect the access request and the requests that follow it.
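The false-password handling of FIG. 3 ( 304 ) and FIG. 4 ( 414 , 416 , 422 ), including the case where an authorized user's real password happens to coincide with a standard password, can be made concrete as follows. This is an added Python example, not code from the patent or from SAP; the seed list of standard passwords, the rules used to derive passwords "similar to" the real one, the PBKDF2 parameters and the "deny" outcome for a password that is neither real nor false are assumptions made for illustration.

```python
"""Added example: false-password checking for the password system 128.

Assumptions (not from the patent): a seed list of standard passwords, the
variant rules used to derive passwords "similar to" the real one, PBKDF2 as
the hash, and a DENY outcome for passwords that are neither real nor false.
"""
import hashlib
import hmac
import os
from enum import Enum

# Constructed list of "standard" passwords an attacker tool would try first.
STANDARD_PASSWORDS = ("password", "admin", "123456", "Welcome1")
PBKDF2_ITERATIONS = 20_000  # kept low for the example; raise it in production


class Decision(Enum):
    GRANT = "grant"              # real credential: application access (408)
    GRANT_WATCH = "grant_watch"  # real, but also a standard password: grant and
                                 # have request handler 122B inspect later requests
    DECOY = "decoy"              # false password: route to decoy server 108 (422)
    DENY = "deny"                # unknown password (assumption: not in the text)


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def variants(password):
    """Near-misses of the real password, i.e. what a guesser tries next."""
    cands = {
        password + "1", password + "!", password + "123",
        password.capitalize(), password.swapcase(),
        password.replace("a", "@").replace("o", "0"),
    }
    cands.discard(password)  # a rule that changes nothing is not a false password
    return cands


class PasswordSystem:
    def __init__(self):
        self._salt = {}   # user -> salt
        self._real = {}   # user -> digest of the actual password
        self._false = {}  # user -> set of digests of false passwords

    def set_password(self, user, password):
        salt = os.urandom(16)
        false_pw = variants(password) | set(STANDARD_PASSWORDS)
        false_pw.discard(password)  # the real password may itself be "standard"
        self._salt[user] = salt
        self._real[user] = _digest(password, salt)
        self._false[user] = {_digest(p, salt) for p in false_pw}

    def check(self, user, password):
        if user not in self._real:
            return Decision.DENY
        digest = _digest(password, self._salt[user])
        if hmac.compare_digest(digest, self._real[user]):
            # Real password. If it is also a standard password, the system
            # cannot tell the owner from a guesser, so grant but watch (FIG. 3 text).
            if password in STANDARD_PASSWORDS:
                return Decision.GRANT_WATCH
            return Decision.GRANT
        if any(hmac.compare_digest(digest, f) for f in self._false[user]):
            return Decision.DECOY
        return Decision.DENY


if __name__ == "__main__":
    ps = PasswordSystem()
    ps.set_password("alice", "correct horse")
    for attempt in ("correct horse", "correct horse1", "admin", "unrelated"):
        print(attempt, "->", ps.check("alice", attempt).value)
```

Only digests are stored, so the false passwords need not be kept in clear; the cost is one extra digest comparison per stored false password. The variant rules are the part a practitioner would tune: they should resemble what the support tools/plug-ins 118 (for example a password generator such as John the Ripper, mentioned below) would actually produce, since a false password is only useful if an attacker is likely to try it.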
  • the request handler 122 B may receive the access request and access the deceiver library agent 130 ( 418 ), so as to thereby determine whether the access request is unauthorized ( 420 ). If no such determination is made, then application access may continue to be provided ( 408 ).
  • the request handler 122 B in conjunction with the deceiver library agent 130 , may determine that the access request is associated with one or more types of attacks referenced above, e.g., directory traversal attacks, client-side scripting attacks, or SQL injection attacks.
  • if so, the response manager 124B may route current and future access requests with respect to the application 116 back to the response manager 124A at the deception manager 102 , for routing thereof to the decoy server 108 ( 422 ).
  • the preconfigured response plan for any of the above-referenced types of attacks may be implemented ( 424 ).
  • the logging engine 110 may be configured to monitor and track interactions between the client computer 104 and the decoy server 108 , and to thereby update log-in data 120 accordingly.
  • various other actions including legal actions and/or warnings or other messages to the client computer 104 , also may be implemented.
  • the logging data 120 may be utilized to update the knowledge base 106 ( 426 ), so as to thereby maintain the knowledge base 106 using current, up-to-date information regarding existing attack techniques.
  • Implementations of the various techniques described herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Implementations may be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.
  • a computer program such as the computer program(s) described above, can be written in any form of programming language, including compiled or interpreted languages, and can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
  • a computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
  • Method steps may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method steps also may be performed by, and an apparatus may be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
  • processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
  • a processor will receive instructions and data from a read-only memory or a random access memory or both.
  • Elements of a computer may include at least one processor for executing instructions and one or more memory devices for storing instructions and data.
  • a computer also may include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
  • Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • the processor and the memory may be supplemented by, or incorporated in special purpose logic circuitry.
  • implementations may be implemented on a computer having a display device, e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer.
  • Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • Implementations may be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation, or any combination of such back-end, middleware, or front-end components.
  • Components may be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (LAN) and a wide area network (WAN), e.g., the Internet.

Abstract

A request handler may receive an access request for access to application server resources of an application server and determine that the access request is unauthorized. A response manager may provide a false positive response including apparent access to the application server resources.

Description

TECHNICAL FIELD
This description relates to computer security.
BACKGROUND
Malicious and other illegitimate potential users of network computing resources may attempt to gain unauthorized access to such computing resources, using a variety of techniques. For example, such unauthorized users, sometimes referred to as hackers, may attempt to gain access to data or other resources which have been made available on the network in a manner intended to provide secure, confidential access to a limited set of authorized users. In particular examples, companies may provide public websites designed to interact with customers and potential customers, and hackers may attempt to modify such websites in undesired manners, and/or to modify or otherwise access confidential data used to support functionality of related websites. Meanwhile, current trends in network usage include greater usage of web-based/cloud-based applications, including the use of network-based data storage. Consequently, such trends provide increased high-value targets for hackers and other unauthorized users.
SUMMARY
According to one general aspect, a computer system may include instructions recorded on a computer-readable storage medium and readable by at least one processor. The system may include a request handler configured to cause the at least one processor to receive an access request for access to application server resources of an application server and to determine that the access request is unauthorized, and a response manager configured to cause the at least one processor to provide a false positive response including apparent access to the application server resources.
According to another general aspect, a computer-implemented method for causing at least one processor to execute instructions recorded on a computer-readable storage medium may include receiving an access request for access to application server resources of an application server. The computer-implemented method may further include determining that the access request is unauthorized; and providing a false positive response including apparent access to the application server resources.
According to another general aspect, a computer program product may be tangibly embodied on a computer-readable medium and may include instructions that, when executed, are configured to cause at least one processor to receive an access request for access to application server resources of an application server, determine that the access request is unauthorized, and provide a false positive response including apparent access to the application server resources.
The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features will be apparent from the description and drawings, and from the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a system for providing false positive responses to potential unauthorized access requests.
FIG. 2 is a flowchart illustrating example operations of the system of FIG. 1.
FIG. 3 is a flowchart illustrating example operations related to example configurations of the system of FIG. 1.
FIG. 4 is a flowchart illustrating example implementations of executions of the system of FIG. 1.
DETAILED DESCRIPTION
FIG. 1 is a block diagram of a system 100 for providing false positive responses to potentially unauthorized access requests. By providing such false positive responses, the system 100 may deceive unauthorized users into believing, at least for a period of time, that their unauthorized access attempts have not been detected as such. Consequently, it may be more difficult (e.g., more time-consuming and/or more resource intensive) for unauthorized users to gain authorized access. Moreover, to the extent that the unauthorized users are deceived into believing that they have gained actual, desired access to system resources, the unauthorized users may be content with obtained results, and may cease, at least for the time being, further access attempts. Still further, to the extent that the unauthorized users are deceived into believing that they have gained desired, actual access, the unauthorized users may continue to interact with the falsely-provided resources, so that, for example, such interactions may be tracked by operators of the system 100, in order, e.g., to conduct legal proceedings against, or otherwise deter or stop, the unauthorized users.
In the example of FIG. 1, a deception manager 102 may be configured to interact with a client computer 104, where the client computer 104 may be understood to represent a source of access requests which may be malicious, unauthorized, or otherwise undesirable. As described in detail herein, the deception manager 102 may be configured to access a knowledge base 106 in order to determine whether, in fact, access requests received from the client computer 104 are malicious, unauthorized, or otherwise undesirable.
Further, the deception manager 102 may utilize the knowledge base 106 in conjunction with a decoy server 108, in order to thereby provide a deceptive false positive result to any such undesirable (or potentially undesirable) access request. As a result, as referenced above and as described in detail herein, illegitimate users of the client computer 104 may be deceived into believing that unauthorized access requests have been successful and/or have not been detected as such, while all along failing to achieve the desired unauthorized results. Consequently, such illegitimate users may be hindered or prevented from achieving such desired, unauthorized results, while legitimate users and/or providers may continue to receive desired access in a convenient manner, while experiencing limited or no inconveniences associated with the illegitimate access request received from the unauthorized users of the client computer 104.
In practice, it may be appreciated that the deception manager 102 and the client computer 104 may be in communications with one another using any suitable or relevant communication techniques. For example, the deception manager 102 and the client computer 104 may communicate over any suitable computer network, including a public network (e.g., the public internet, or secured portions thereof), or a private network (e.g., a corporate intranet).
For example, as described in more detailed examples below, the deception manager 102 may be associated with a plurality of network resources, and the deception manager 102 may represent, or be included in, a common point of entry for all access requests and other communications from external network devices, including the client computer 104. For example, in specific implementations, the deception manager 102 may be executed in the context of, in conjunction with, or as part of an otherwise conventional firewall device. Such firewall devices are, by themselves, generally well known to provide security-related functionality, including, e.g., encryption/decryption of data, username/password maintenance and management, and various other known functions related to maintaining the confidentiality, validity, and authorization of communications between external network devices and underlying backend network resources.
Thus, in the examples described herein, it is assumed that the client computer 104 has been configured to guess, deduce, or otherwise determine a proper form and/or content of an access request that might be authorized by the deception manager 102. For example, the client computer 104 may be configured to make repeated, random attempts to establish the form and content of such access requests until, by process of elimination, a proper access request is determined. As described herein, the deception manager 102 may be configured to detect such unauthorized access requests and to respond to them with a false positive result, thereby deceiving the operator of the client computer 104 into believing that the unauthorized access request was successful.
In order to perpetuate this deception, the deception manager 102 may route the unauthorized access requests and subsequent communications from the client computer 104 to the decoy server 108, which may be configured to respond to the unauthorized access requests and subsequent communications in a manner which mimics the actual communications that would have been provided by the illegitimately-requested network resource. As a result, the operator of the client computer 104 may continue to interact with the decoy server 108 for some period of time, until determining or guessing that the decoy server 108 represents a false positive, or until otherwise deciding to cease interactions with the decoy server 108. During such interactions, a logging engine 110 may be configured to record actions and other communications associated with the operator of the client computer 104. Accordingly, the system 100 may facilitate legal actions against the operator of the client computer 104. In other examples, as described in more detail below, the logging engine 110 may enable improved performance of the system 100 in future attempts to detect and respond to unauthorized access requests.
In the example of FIG. 1, an application server 112 is illustrated as an example of network resources which might be a target for unauthorized access by the operator of the client computer 104. As shown, and as is well known, the application server 112 may be associated with a plurality of ports, illustrated in the example of FIG. 1 as ports 114A, 114B.
Such ports may include or represent, for example, logical endpoints of communication between two applications over a network. A port is associated with the IP address of the host and with the transport protocol in use; the protocols that primarily use ports are the Transport Layer protocols, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet Protocol Suite. A port is identified for each address and protocol by a 16-bit number, commonly known as the port number.
Thus, the ports 114A, 114B may be configured to provide specific types of data connections such that each specific type of communication may be associated with one or more of the ports. In practice, individual ports may be associated with specific numbers designated as corresponding to specific types of network communications. For example, ports may be associated with FTP (file transfer protocol), telnet, or BGP (border gateway protocol), to name a few.
In practice, an operator of the application server 112 and/or the deception manager 102 may wish to utilize a subset of available ports for legitimate communications with a desired or intended audience. For example, out of hundreds or thousands of available ports, a dozen or more may be designated as being open so as to conduct legitimate communications. Consequently, in conventional scenarios, the remaining ports may be closed.
In the example of FIG. 1, the client computer 104 may be configured to execute port scanning software which scans all ports of the application server 112, in order to identify one or more of the subset of available ports which have been configured to be open for data communications. If successful in identifying such open ports, which would otherwise normally be available only to legitimate users notified of the availability thereof, the operator of the client computer 104 may proceed to execute unauthorized or undesired communications using the discovered-open ports.
In the example of FIG. 1, however, a second subset of ports, which are not needed for legitimate communications with an intended audience, may nonetheless be designated as being open for communications, in conjunction with operations of the deception manager 102. In this way, an operator of the client computer 104 utilizing port scanning software may believe that an open port has been discovered, when in fact the discovered and apparently open port represents a false positive provided by the deception manager 102 for purposes of deceiving the operator of the client computer 104 as described herein.
Thus, in the simplified example of FIG. 1, it may occur that the port 114A is designated as being open for legitimate communications in association with operations of the application server 112, while the port 114B may not be required for such legitimate communications, but may nonetheless be falsely designated as open for purposes of deceiving the operator of the client computer 104. In such scenarios, then, the operator of the client computer 104 may scan all available ports, in an attempt to conduct unauthorized communications therewith.
Thus, in the example, if the port 114B is discovered, then the deception manager 102 may deduce or determine that any associated access requests are unauthorized, and may therefore route such access requests and associated communications to the decoy server 108, which may be configured to mimic operations of the application server 112 and thereby deceive the operator of the client computer 104.
If the operator of the client computer 104 discovers that both ports 114A, 114B are apparently open, then the operator of the client computer 104 may nonetheless be unable to determine which of the ports represent an actual open port. Similarly, even if the operator of the client computer 104 initially discovers the open port 114A, then knowledge of the potential use of the deception manager 102 may cause the operator of the client computer 104 to doubt an authenticity of any subsequent communications with the application server 112.
Thus, by providing false positives in the form of apparently open ports that are not in fact used by the application server 112 (and are answered instead by the decoy server 108), the deception manager 102 may confuse or otherwise hinder the operator of the client computer 104, and may therefore cause such port-based attacks to be less fruitful for the operator of the client computer 104, and therefore less likely to occur and/or do harm. To the extent that the operator of the client computer 104 is deceived by the deception manager 102 and the decoy server 108 into continuing communications with the decoy server 108, the logging engine 110 may be utilized to track and record such interactions, so as to facilitate legal action and/or future deterrence efforts with respect to the operator of the client computer 104.
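The port-level deception just described, which is the configuration step of FIG. 3 ( 302 ) and the dispatch of FIG. 4 ( 402 , 408 , 422 ), can be made concrete as follows. This is an added Python example, not code from the patent or from SAP; the 1-1024 port range, the caller-chosen fraction of closed ports to falsely open, the seed used for reproducibility and the class names are assumptions made for illustration.

```python
"""Added example: decoy port selection (FIG. 3, 302) and probe dispatch (FIG. 4, 402-422).

Assumptions (not from the patent): a 1-1024 port range, a caller-chosen
fraction of the closed ports to advertise as open, and a seed so that a
given configuration can be reproduced.
"""
import random
from enum import Enum


class PortDisposition(Enum):
    APPLICATION = "application"  # legitimately open (port 114A): pass to application 116
    DECOY = "decoy"              # falsely open (port 114B): route to decoy server 108
    CLOSED = "closed"            # neither: refuse as a conventional closed port


def select_decoy_ports(legit_ports, fraction, port_range=(1, 1024), seed=None):
    """Choose which of the *closed* ports to advertise as open.

    `fraction` is the share of closed ports to falsely open and must lie
    strictly between 0 and 1: 0 deceives nobody, and opening every port is
    itself unusual enough to reveal the deception (see the text above).
    """
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    lo, hi = port_range
    legit = set(legit_ports)
    closed = [p for p in range(lo, hi + 1) if p not in legit]
    count = int(len(closed) * fraction)
    return set(random.Random(seed).sample(closed, count))


class ProbeScanner:
    """Probe scanner 126: decides, per destination port, where a request goes."""

    def __init__(self, legit_ports, decoy_ports):
        overlap = set(legit_ports) & set(decoy_ports)
        if overlap:
            raise ValueError(f"a port cannot be both legitimate and decoy: {sorted(overlap)}")
        self.legit = frozenset(legit_ports)
        self.decoys = frozenset(decoy_ports)

    def advertised_open(self):
        """What a port scan reports: real and decoy ports look the same."""
        return sorted(self.legit | self.decoys)

    def dispatch(self, port):
        """FIG. 4: decoy port -> 422, legitimate port -> 408, otherwise closed."""
        if port in self.legit:
            return PortDisposition.APPLICATION
        if port in self.decoys:
            return PortDisposition.DECOY
        return PortDisposition.CLOSED


if __name__ == "__main__":
    legit = {22, 443}
    decoys = select_decoy_ports(legit, fraction=0.1, seed=7)
    scanner = ProbeScanner(legit, decoys)
    print(f"{len(scanner.advertised_open())} ports appear open; {len(decoys)} are decoys")
    closed_example = next(p for p in range(1, 1025) if p not in legit and p not in decoys)
    for port in (443, min(decoys), closed_example):
        print(port, "->", scanner.dispatch(port).value)
```

A decoy port only deceives if something answers on it: in the deployment the text describes, the decoy server 108 (or a firewall rule redirecting to it) must actually accept connections on the selected ports, because a port that is advertised as open but never completes a handshake is a tell of a different kind. Keep `fraction` well below 1 for the reason given in the text.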
In additional examples, as shown, the application server 112 may be configured to execute an application 116. As is well known, the application 116 and the application server 112 may represent virtually any such application which may be made available over a network. For example, the application 116 may be associated with a commercial website designed for executing retail transactions over the public internet. In other examples, the application 116 may represent business software designed to support and otherwise facilitate operations of an enterprise. Of course, as referenced, many other examples of the application 116 exist, and would be well known to one of skill in the art.
As is also known, in addition to the network-level attacks referenced above with respect to the ports 114A, 114B, the client computer 104 may be configured to execute application-specific attacks against the application 116. For example, the application 116 may be protected through the use of authorized username/password combinations which are required to be entered by authorized users prior to providing certain types of access (e.g., administrative access) to the application 116. Consequently, somewhat similarly to the port-based scanning techniques described above, the client computer 104 may be configured to guess, deduce, or determine such username/password combinations (e.g., using random character combinations as part of a process of elimination), so as to thereby gain unauthorized access to operations of the application 116.
Various other types of application-level attacks may be launched by the client computer 104. For example, directory traversal attacks may be implemented in which resource locators (e.g., uniform resource locators or URLs, utilized in the context of an address bar of a conventional web browser) are manipulated by the client computer 104 in an attempt to guess an otherwise unavailable file or folder stored using the application 116 and/or the application server 112. In other words, the operator of the client computer 104 may traverse a directory structure of the application 116, and thereby identify resources which have not been made publicly available, and may therefore be thought to be safe from, or inaccessible by, unauthorized users.
For example, the application server 112 may provide a domain of websites and associated applications 116, many of which may be configured to be publicly accessible, e.g., through the use of hyperlinks. At the same time, an operator or administrator of the application server 112 may include private webpages which may be used, e.g., for administration and management of the various related websites and applications, and/or for management of private data, e.g., customer data. Such non-public sites may be associated with specific, non-public uniform resource locators (URLs). For example, an example public webpage www.homepage.com may be associated with non-public webpages, e.g., www.homepage.com/customer_data or www.homepage.com/admin_page. By virtue of trial and error processes, or other processes, an operator of the client computer 104 may enter, guess, or otherwise determine, using the base website name www.homepage.com, such pages which are designed and intended to be non-public. Subsequently, the operator of the client computer 104, in conventional systems, may thereafter be enabled to access or modify data in an illegitimate or unauthorized manner.
Various other types of illegitimate access requests and associated attack techniques may be implemented by the operator of the client computer 104. For example, as illustrated, the application 116 may include a conventional controller 116A and associated page model 116B. As is well known, the controller 116A may be understood to receive inputs from users, consult the page model 116B, and return desired information or functionality to the requesting user. In the context of the system 100, the operator of the client computer 104 may seek to hijack or otherwise utilize operations of the controller 116A and page model 116B in order to obtain desired, illegitimate results.
For example, in a technique referred to in this description as client-side scripting (CSS), and more commonly known as cross-site scripting (XSS), the operator of the client computer 104 may modify client-side scripts designed to be executed at the client computer 104, so as to cause the injected script to affect general operations of the controller 116A. In other words, the operator of the client computer 104 may use scripts designed to be viewed and used only at the specific client computer 104 to affect operations of the application 116 as viewed and utilized by many or all other users thereof.
In other examples, it may occur that the page model 116B includes, or is associated with, a database, such as a database managed using the popular structured query language (SQL). As is known, SQL is a popular database management language which enables users to modify (update, delete), maintain, or otherwise manage large relational databases. In these contexts, the operator of the client computer 104 may utilize a technique known as SQL injection to include SQL commands in otherwise normal interactions with the controller 116A. In other words, the operator of the client computer 104 may modify normal or expected user inputs to include illicit or unauthorized SQL commands, so that the controller 116A may thereafter execute the unauthorized SQL commands. For example, the operator of the client computer 104 may include an SQL command to delete an entire table of customer data from data associated with the page model 116B. In this way, the operator of the client computer 104 may disrupt operations of the application 116, or otherwise gain unauthorized responses from the application 116.
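The application-level detection that the request handler 122B performs with the deceiver library agent 130 (FIG. 4, 418 to 422 ) for the three attack classes described above (directory traversal, client-side scripting and SQL injection) can be sketched as follows. This is an added Python example, not code from the patent or from SAP; the indicator patterns, the decoding depth and the rule that one detected attack moves the whole session to the decoy server 108 are assumptions made for illustration, and the www.homepage.com URLs in the test inputs are the ones used as examples in the text.

```python
"""Added example: request inspection for the deceiver library agent 130.

Assumptions (not from the patent): the indicator patterns below, the decoding
depth, and the rule that one detected attack moves the whole session to the
decoy server 108 for all further requests.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative indicators for the three attack classes named in the text.
RULES = {
    "directory_traversal": [
        re.compile(r"(^|/)\.\.(/|$)"),                 # ../ after decoding and \ -> / normalisation
    ],
    "client_side_scripting": [
        re.compile(r"<\s*script\b", re.I),             # injected <script> element
        re.compile(r"javascript\s*:", re.I),           # javascript: URL scheme
        re.compile(r"<[^>]*\bon\w+\s*=", re.I),        # inline event handler inside a tag
    ],
    "sql_injection": [
        re.compile(r"\b(union\s+(all\s+)?select|drop\s+table|insert\s+into|delete\s+from)\b", re.I),
        re.compile(r"['\"]\s*(or|and)\b", re.I),       # quote-breaking tautology: ' OR '1'='1
        re.compile(r"['\"]\s*(--|#|/\*)"),             # quote followed by an SQL comment
    ],
}


def _normalize(value, rounds=3):
    """Undo (double) percent-encoding and unify path separators before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def inspect_request(url, body_params=None):
    """Return the set of attack classes found in the path, query and body values."""
    parts = urlsplit(url)
    fields = [parts.path]
    fields += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += list((body_params or {}).values())
    found = set()
    for raw in fields:
        value = _normalize(raw)
        for kind, patterns in RULES.items():
            if any(p.search(value) for p in patterns):
                found.add(kind)
    return found


class RequestHandler:
    """Request handler 122B: once a session is caught it stays on the decoy (FIG. 4, 420-422)."""

    def __init__(self):
        self.decoyed_sessions = set()

    def handle(self, session, url, body_params=None):
        if session in self.decoyed_sessions:
            return "decoy", set()
        found = inspect_request(url, body_params)
        if found:
            self.decoyed_sessions.add(session)
            return "decoy", found
        return "application", found


if __name__ == "__main__":
    handler = RequestHandler()
    for url in ("https://www.homepage.com/products?id=42",
                "https://www.homepage.com/static/../../etc/passwd",
                "https://www.homepage.com/products?id=42"):
        print(url, "->", handler.handle("session-1", url))
```

The indicators are deliberately simple: they will miss evasions (overlong encodings, keywords split by comments) and will occasionally flag legitimate input, and in the system described that list is exactly what the knowledge base 106 holds and what the support tools/plug-ins 118 keep current. A positive here is a routing decision rather than proof, which is one reason routing to a decoy is attractive: a false positive costs a legitimate user a confusing session rather than an outage, and the logging engine 110 records what happens next.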
In many cases, the various attack techniques referred to above, and related attack techniques, may be associated with known software for performing the functions described above. For example, software known as John the Ripper is utilized to generate potential passwords in order to gain access to a password protected system. In the example of FIG. 1, such known attack software may be included in, or utilized in conjunction with, support tools/plug-ins 118. Specifically, as shown, the support tools/plug-ins 118 may be utilized by the knowledge base 106 in order to update and configure the knowledge base 106 for subsequent consultation thereof by the deception manager 102 when evaluating access requests from the client computer 104.
Further, as referenced above, the knowledge base 106 also may be updated based on information stored in a log-in database 120, which may be updated based on operations of the logging engine 110 during execution of monitoring and tracking interactions of the client computer 104 with the decoy server 108, as described herein. Thus, the login database 120 may be utilized by, or in conjunction with, the knowledge base 106, so as to maintain an updated version of the knowledge base 106 which is thereby configured to instruct the deception manager 102 in a timely and accurate fashion with respect to evaluations of access requests from the client computer 104.
Thus, in practice, a request handler 122A, 122B may be configured to receive access requests from the various computers, including the client computer 104. Specifically, with respect to the request handler 122A, as described herein, the deception manager 102 may be implemented in conjunction with, or as part of, a firewall device which is positioned on a network to receive all access requests destined for the applications server or other network resources. Consequently, the request handler 122A may be well-positioned to intercept or otherwise receive access requests from the client computer 104.
As described herein, the request handler 122A may consult with the knowledge base 106, in order to, e.g., determine that a given access request is unauthorized. Consequently, a response manager 124A may be configured to execute an appropriate response, including routing current and future communications from the client computer 104 originating an unauthorized request to the decoy server 108. For example, as described herein, the response manager 124A may be configured to execute in conjunction with, or as part of, a reverse proxy, which is conventionally used to perform load balancing and/or failover functionality using a plurality of backend servers.
That is, for example, conventional websites may utilize a number of application servers to provide a single website, so that normal access requests may be routed among the various available servers in a balanced fashion, and/or may be handled appropriately even if one or more available servers fails. However, in the example of FIG. 1, the response manager 124B, as described herein, may be configured to utilize similar functionality for the purpose of routing the unauthorized access requests and subsequent communications from the client computer 104 to the decoy server 108, which is configured to mimic operations of the requested network resource, e.g., the application server 112.
In the example of FIG. 1, and consistent with the examples provided above, the request handler 122A may include a probe detector 126 which is configured to detect port scanning operations of the client computer 104 with respect to the ports 114A, 114B. For example, as described above, it may occur that the port 114A is configured to be open for purposes of legitimate data traffic, while the port 114B may not be required for legitimate data traffic, yet may be configured to be open nonetheless.
Subsequently, upon receipt of an access request with respect to the port 114B from the client computer 104, the probe detector 126 may determine, in conjunction with the knowledge base 106, that the port 114B has been configured to be open only for the purposes of deceiving the operator of the client computer 104 submitting the unauthorized access request. Similarly, the password system 128 of the request handler 122A may be configured to receive a false password from the client computer 104, and to thereby determine that the client computer 104 is attempting to gain unauthorized access, e.g., to the application 116. That is, for example, it may occur that the password system 128 may be configured to generate a number of false usernames and/or passwords in conjunction with, or in addition to, any actual, authorized username/password combinations which may exist with respect to the application 116.
Then, in such examples, it may be appreciated that actual users of the application 116 may submit their normal, authorized username/password combination in order to gain desired access to the application 116. At the same time, such authorized users may be unaware of the existence of a plurality of false username/password combinations, which exist only to deceive the operator of the client computer 104 into believing that a desired, unauthorized access to the application 116 has been achieved.
Thus, in conjunction with both the probe detector 126 and the password system 128, it may be appreciated that the request handler 122A may be configured to determine an unauthorized nature of an unauthorized access request received from the client computer 104. Thereupon, the response manager 124 may be configured to route the unauthorized access request and subsequent communications to the decoy server 108, as described herein.
In many cases, however, the request handler 122A may mistakenly identify an unauthorized access request as being authorized and permissible. Similarly, the request handler 122A may come to an indeterminate result in its attempt to classify a specific access request as authorized or unauthorized.
In particular, with respect to the case of application-level attacks referenced above, including, e.g., directory traversal attacks, client-side scripting attacks, and/or SQL injection attacks, it may be difficult or impossible for the request handler 122A located at the deception manager 102 to identify an unauthorized nature of such access requests, and related access requests.
In particular, such types of access requests may be particular to a context of the application 116 itself, and therefore may be difficult or impossible to detect at a network level by the deception manager 102. Then, in the example of FIG. 1, a deceiver library agent 130 may be configured to identify the access request as being unauthorized, in conjunction with the request handler 122B. For example, a number of known techniques exist for detecting SQL injection attempts, and the various other application-level attacks described above, and related attack types. For example, input validation and sanitization techniques exist which enable detection of embedded SQL commands, so that associated user inputs may be sanitized (i.e., may have the offending SQL injection attempts removed, or have the entirety of the associated user input dropped).
In the example of FIG. 1, however, rather than dropping sanitized user inputs, the response manager 124B, in conjunction with the deceiver library 130, may be configured to recognize unauthorized access requests associated with the types of attacks described above, and thereafter inform the response manager 124A of the deception manager 102 to route the unauthorized access requests and subsequent communications from the client computer 104 to the decoy server 108.
Thus, the system 100 may be configured to send false success responses for code areas which are normally out of bounds of firewalls or intrusion detection systems. This allows, for example, for sending a response code in response to directory traversals, which may thereby confuse attackers, and render their attack methods useless. Similarly, the decoy server 108 may be utilized to pretend that a received SQL injection was successful, while not breaking the normal behavior of the application 116 in conjunction with separate, legitimate access requests.
FIG. 1 illustrates an example block diagram of a system 100, in which the various functional blocks are illustrated and described as shown. Of course, it may be appreciated that the system 100 of FIG. 1 is intended merely for the sake of an example, and that many additional or alternative implementations may be provided.
For example, components illustrated at one location in the example of FIG. 1 may be implemented, in whole or in part, at a different location thereof. In general, any single component of the example of FIG. 1 may be executed using two or more components which each perform a corresponding subset of functionalities of the singular, illustrated components. Similarly, but conversely, any two or more of the components of FIG. 1 may be executed using a single component.
FIG. 2 is a flowchart 200 illustrating example operations of the system 100 of FIG. 1. In the example of FIG. 2, operations 202-206 are illustrated as separate, sequential operations. However, it may be appreciated that in additional or alternative implementations, the operations 202-206 may be performed in a partially or completely overlapping or parallel manner, and/or may be implemented in a nested, iterative, or looped fashion. Moreover, additional or alternative operations may be included, while one or more operations may be deleted.
In the example of FIG. 2, an access request for access to application server resources of an application server may be received (202). For example, the request handler 122A, 122B may receive such an access request with respect to the application 116 of the application server 112, and/or with respect to the various ports 114A, 114B associated therewith. For example, the probe scanner 126 may receive a port request from the client computer 104 for access to the closed port 114B. Similarly, the password system 128 may receive a false username/password from the client computer 104. Still further, the request handler 122B may receive an access request with respect to the application 116 which is part of a directory traversal attack, client-side scripting attack, or SQL injection attack.
The access request may be determined to be unauthorized (204). For example, the request handlers 122A, 122B, or components thereof, may consult with the knowledge base 106 to determine that a given access request is unauthorized. For example, the probe scanner 126 may consult the knowledge base 106 to determine that the requested port (e.g., port 114B), is open only for purposes of deceiving unauthorized users. Similarly, the password system 128 may operate in conjunction with the knowledge base 106 and the associated support tools/plug-ins 118 which may provide information useful in identifying receipt of false passwords. Still further, the request handler 122B at the application 116 may determine that the access request is associated with a directory traversal attack, client-side scripting attack, or SQL injection attack, in conjunction with the deceiver library agent 130.
A false positive response including apparent access to the application server resources may be provided (206). For example, as described, the response manager 124A, 124B may be configured to route the unauthorized access request and subsequent communications from the client computer 104 to the decoy server 108. As described, in conjunction with any of the port scanning attacks, password cracking attacks, and various application-level attacks, the decoy server 108 may be configured to deceive the operator of the client computer 104 into believing that he or she has access to the desired application resources. Consequently, as described, the logging engine 110 may be configured to track and monitor interactions of the operator of the client computer 104 with the decoy server 108, so as to assist in future deterrence of the same or future attackers, or for instituting legal or other action against the operator of the client computer 104.
FIG. 3 is a flowchart 300 illustrating example operations associated with configuring the system 100 of FIG. 1. Thus, the example of FIG. 3 illustrates actions which might be taken by an operator or administrator of the deception manager 102, the application server, and/or various other components of the system 100 in communication with the client computer 104.
In the example of FIG. 3, false open ports may be configured (302). For example, as described, the port 114B, which is not desired or needed for actual, authorized network communications, may nonetheless be designated as open for purposes of deceiving the operator of the client computer 104. As referenced above, a number of available ports associated with the application server 112 may range, for example, in the hundreds or thousands. Consequently, it may be desirable to determine a number or percentage of closed ports to be designated as open. For example, during legitimate operations with the application server 112, it may occur that only a small number of available ports are desired for the authorized operations of the application server 112. Then, an operator or administrator of the system 100 may decide a number or percentage of the remaining ports to be designated as being open.
In this regard, it may be appreciated that the goal of the deception manager 102 is to deceive the operator of the client computer 104 by having the decoy server 108 convincingly mimic the application server 112. Therefore, it may not be desirable to designate all closed ports as being open, since, or to the extent that, it is unusual for all ports to be open in conjunction with operations of the application server 112. Rather, the number of ports to be left open might be selected based on a desire to flood the operator of the client computer 104 with erroneous results, while at the same time not alerting the operator of the client computer 104 to the presence of such deception by simply opening all available ports.
False passwords may be configured (304). For example, as described above, the knowledge base 106 may interact with the support tools/plug-ins 118 to determine the types of passwords which might be selected by the operator of the client computer 104 in attempting to gain access to the application 116. In additional or alternative examples, the password system 128 may be configured to generate false passwords which are related to, or similar to, actual passwords of authorized users.
Additionally, it may occur that network administrators and other users of the application 116 may be prone to use certain standard passwords, for the sake of convenience, but at the cost of potentially providing access to attackers such as the operator of the client computer 104. For example, many administrators might utilize a word such as “administrator” or “password” for use as a password. Consequently, the password manager 128 may be configured to receive access requests from the operator of the client computer 104 in conjunction with such standard passwords, used in the example by the password manager 128 as false passwords designed to deceive the operator of the client computer 104 into interacting harmlessly with the decoy server 108. In order to avoid denying access to legitimate users, however, the password manager 128 may consult the knowledge base 106 or other appropriate resource in order to consider the possibility that such standard passwords have been utilized by an authorized user (i.e., even in cases where these passwords have been stored as potential false passwords). In such cases, the password manager 128 may consider the received password to be legitimate for purposes of granting the immediate access request, but may instruct the request handler 122B of the application 116 to more carefully inspect subsequent application-related requests for potential unauthorized activity.
The deceiver library agent 130 may be configured for each application (306). That is, as referenced above, the request handler 122B, the response manager 124B, and the deceiver library agent 130 may be desired or required to be implemented in the context of the corresponding specific application. For example, such implementations may be desired or necessary when using otherwise conventional tools to detect the types of attacks referenced above.
The knowledge base 106 may be configured to provide a desired response (308). For example, as referenced above, the response manager 124 may be configured to consult the knowledge base 106 in order to determine a desired response in addition or alternative to the rerouting of communications of the operator of the client computer 104 to the decoy server 108. For example, the knowledge base 106 may be configured to designate a false positive response on the part of the deception manager 102 including a return message to the operator of a client computer 104 that access has been granted but delayed due to certain specified or un-specified reasons. In other words, the knowledge base 106 may be configured to cause the response manager 124A to provide a false positive response in addition or alternative to rerouting of the unauthorized access requests and associated communications to the decoy server 108. As referenced above with respect to FIG. 1, the plug-in/support tools 118 may be used by the knowledge base 106 to maintain current, up-to-date techniques for monitoring access requests and responding thereto.
The deception manager may be configured to access the knowledge base (310). For example, the request handler 122A and the response manager 124A may be configured to utilize one or more appropriate application programming interfaces (APIs) to access the knowledge base 106. The decoy server 108 may be configured to implement a desired response (312). For example, as described, the decoy server 108 may be configured to mimic the application 116 or other desired application resource. Consequently, the experience of the operator of a client computer 104 may be entirely consistent with an experience of interacting directly with the application 116.
As a result, any illicit, illegal, or other undesired behavior may be observed in the context of the decoy server 108. Of course, in example implementations, the decoy server 108 may be configured to provide various inconveniences to the operator of a client computer 104 in illegal or otherwise improper communications with the decoy server 108. Thus, the decoy server 108 need not mimic the application 116 exactly, but, rather, may be configured to act in ways which inconvenience the operator of the client computer 104, and/or which encourage the operator of the client computer 104 to continue interacting with the decoy server 108, so that the logging engine 110 may execute its desired purpose.
FIG. 4 is a flowchart 400 illustrating example executions of the system 100 of FIG. 1. In the example of FIG. 4, a port access request may be received (402). For example, the probe scanner 126 may receive a request from the client computer 104 for either the port 114A or the port 114B. For the case where the access request is with respect to the port 114B, the probe scanner 126 may determine that the access request is for a falsely or deceptively open port, and may therefore route the request and subsequent communications from the client computer 104 to the decoy server 108 (422). Otherwise, if the access request is with respect to the legitimately open port 114A, then the client computer 104 may be provided with access to the application 116 (408).
Similarly, the request handler 122A, e.g., the password system 128, may receive a request for access to the application 116 or other network resources (410). The password system 128 may access the knowledge base 106 (412), in order to judge a legitimacy of the access request. If permitted (413), application access may be granted. Otherwise (413), if the application is protected by the password system 128 (410), then upon receipt of a username/password combination (414), the password system 128 may determine whether the received password represents a false password (416).
If so, the password system 128 may route the access request and subsequent communications from the client computer 104 to the decoy server 108 (422). Otherwise, as referenced above, it may be difficult for the request handler 122A, even in conjunction with the knowledge base 106, to determine whether application-specific requests are legitimate or not. Consequently, as described above, the request handler 122A may provide initial access to the application 116 (408), while at the same time ensuring operations of the request handler 122B and the deceiver library agent 130 with respect to the access request.
Specifically, the request handler 122B may receive the access request and access the deceiver library agent 130 (418), so as to thereby determine whether the access request is unauthorized (420). If no such determination is made, then application access may continue to be provided (408).
Otherwise, as described, it may occur that the request handler 122B, in conjunction with the deceiver library agent 130, may determine that the access request is associated with one or more types of attacks referenced above, e.g., directory traversal attacks, client-side scripting attacks, or SQL injection attacks. In such cases, the response manager 124B may route current and future access requests with respect to the application 116 back to the response manager 124A at the deception manager 102, for routing thereof to the decoy server 108 (422).
Subsequently, the preconfigured response plan for any of the above-referenced types of attacks may be implemented (424). For example, the logging engine 110 may be configured to monitor and track interactions between the client computer 104 and the decoy server 108, and to thereby update log-in data 120 accordingly. As also described, various other actions, including legal actions and/or warnings or other messages to the client computer 104, also may be implemented. In some implementations, the logging data 120 may be utilized to update the knowledge base 106 (426), so as to thereby maintain the knowledge base 106 using current, up-to-date information regarding existing attack techniques.
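As an added illustration of the FIG. 3 configuration steps and the FIG. 4 decision flow (this is not code from the patent or from SAP), the following sketch models the knowledge base 106, the port and password checks of the request handler 122A, the application-level check of the deceiver library agent 130, and the feedback of logged attempts into the knowledge base (426). Every port number, credential, detection pattern and threshold below is a constructed assumption chosen for the example.

```python
import random
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class KnowledgeBase:
    """Knowledge base 106 together with the logging database 120 (constructed model)."""
    authorized_ports: set                                   # legitimately open, like port 114A
    decoy_ports: set = field(default_factory=set)           # closed ports opened as bait, like 114B
    real_credentials: dict = field(default_factory=dict)    # username -> genuine password
    false_passwords: set = field(default_factory=set)       # honeytoken passwords
    attack_log: list = field(default_factory=list)          # (kind, detail) entries from the logging engine

    def configure_decoy_ports(self, all_ports, fraction, rng=None):
        """Operation 302: open only a fraction of the closed ports, never all of
        them, so the host does not look implausibly wide open."""
        rng = rng or random.Random(0)                       # fixed seed keeps the example reproducible
        closed = sorted(p for p in all_ports if p not in self.authorized_ports)
        self.decoy_ports = set(rng.sample(closed, int(len(closed) * fraction)))
        return self.decoy_ports

    def configure_false_passwords(self, words):
        """Operation 304: common guessable words become false passwords."""
        self.false_passwords.update(words)


# Signatures the deceiver library agent 130 treats as application-level attacks.
# Deliberately simple constructed patterns; a real agent would reuse the
# application's own input validation.
APP_ATTACK_PATTERNS = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)('\s*or\s+'?\w+'?\s*=|;\s*drop\s+table|--\s*$)"),
    "client-side scripting": re.compile(r"(?i)<script\b"),
}


@dataclass
class Decision:
    route: str                      # "application", "decoy" or "denied"
    response: str                   # what the client is told
    inspect_closely: bool = False   # ask request handler 122B to watch this session


def handle_port_request(kb, port):
    """Operations 402-408/422: a decoy port gets a false 'open' reply and the
    connection is handed to the decoy server."""
    if port in kb.decoy_ports:
        kb.attack_log.append(("port-probe", port))
        return Decision("decoy", f"port {port} open")
    if port in kb.authorized_ports:
        return Decision("application", f"port {port} open")
    return Decision("denied", f"port {port} closed")


def handle_login(kb, username, password):
    """Operations 410-416: a false password earns a false 'granted' plus the
    decoy; a genuine password that collides with a false one is granted but
    flagged so later application requests are inspected more carefully."""
    if kb.real_credentials.get(username) == password:
        return Decision("application", "access granted",
                        inspect_closely=password in kb.false_passwords)
    if password in kb.false_passwords:
        kb.attack_log.append(("false-password", username))
        return Decision("decoy", "access granted")       # the false positive response
    kb.attack_log.append(("guess", password))           # wrong guess, remembered for 426
    return Decision("denied", "access denied")


def handle_app_request(kb, path, params):
    """Operations 418-422: an application-level attack is not sanitized; it is
    answered with a pretended success and re-routed to the decoy."""
    for kind, pattern in APP_ATTACK_PATTERNS.items():
        for value in [path, *params.values()]:
            if pattern.search(value):
                kb.attack_log.append((kind, value))
                return Decision("decoy", "200 OK")
    return Decision("application", "200 OK")


def update_knowledge_base(kb, min_seen=3):
    """Operation 426: passwords guessed repeatedly are promoted to false
    passwords (unless they are someone's real password), so the next attacker
    using them lands on the decoy instead of being told 'denied'."""
    seen = Counter(detail for kind, detail in kb.attack_log if kind == "guess")
    promoted = {p for p, n in seen.items() if n >= min_seen} - set(kb.real_credentials.values())
    kb.false_passwords |= promoted
    return promoted


if __name__ == "__main__":
    kb = KnowledgeBase(authorized_ports={80, 443}, real_credentials={"alice": "s3cret"})
    kb.configure_decoy_ports(range(1, 1025), fraction=0.05)
    kb.configure_false_passwords(["password", "administrator"])
    print(handle_port_request(kb, 80))
    print(handle_login(kb, "admin", "password"))
    print(handle_app_request(kb, "/download", {"file": "../../config.ini"}))
```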
Implementations of the various techniques described herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Implementations may be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program, such as the computer program(s) described above, can be written in any form of programming language, including compiled or interpreted languages, and can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
Method steps may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method steps also may be performed by, and an apparatus may be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. Elements of a computer may include at least one processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer also may include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory may be supplemented by, or incorporated in special purpose logic circuitry.
To provide for interaction with a user, implementations may be implemented on a computer having a display device, e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
Implementations may be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation, or any combination of such back-end, middleware, or front-end components. Components may be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (LAN) and a wide area network (WAN), e.g., the Internet.
While certain features of the described implementations have been illustrated as described herein, many modifications, substitutions, changes and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the scope of the embodiments.

Claims (14)

What is claimed is:
1. A computer system including instructions recorded on a non-transitory computer-readable medium and readable by at least one processor, the system comprising:
a deception manager configured to cause the at least one processor to detect an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the deception manager including,
a first request handler configured to receive an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port, the first request handler configured to determine whether the access request is unauthorized including determining whether the port associated with the access request is the unauthorized port or the authorized port using a knowledge base;
a first response manager configured to provide a false positive response to the computer if the port associated with the access request is determined as the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server, the first response manager configured to re-route access to the application server resources to a decoy server configured to mimic an appearance and function of the requested application server resources;
a deceiver library agent configured to detect an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the deceiver library agent including,
a second request handler configured to subsequently determine whether the access request is unauthorized if the first request handler determines that the access request is authorized including determining whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;
a second response manager configured to instruct the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined an unauthorized by the second request handler such that input validation or sanitization techniques are not applied to the input data; and
a logging engine configured to monitor and store interactions of the computer with the decoy server in a logging database, the logging engine configured to update the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.
2. The computer system of claim 1, wherein the second response manager is configured to transmit a false positive providing a response code in response to a directory traversal of the directory traversal attack.
3. The computer system of claim 1, wherein the first request handler and the first response manager are configured to utilize one or more application programming interfaces (APIs) to access the knowledge base.
4. The computer system of claim 1, further comprising:
at least one support tool configured to update the knowledge base such that the knowledge base includes up-to-date information regarding existing attack techniques.
5. The computer system of claim 1, wherein the first request handler is also configured to store a plurality of false passwords in the knowledge base, the first request handler being configured to determine whether the access request is unauthorized by determining that a password associated with the access request corresponds to at least one of the plurality of false passwords stored in the knowledge base, the first response manager being configured to transmit a false positive to the computer and re-route the access request to the decoy server when the first request handler determines that the password associated with the access request corresponds to the at least one false password.
6. The computer system of claim 5, further comprising:
at least one support tool configured to generate a plurality of potential false passwords to gain access to the application and update the knowledge base with one or more of the potential false passwords.
7. The computer system of claim 1, wherein the deception manager is implemented at a common entry point for all access requests and other communications from external network devices, the external network devices including the computer.
8. The computer system of claim 1, wherein the at least one port configured as the unauthorized port includes a plurality of open unauthorized ports, and the at least one port configured as the authorized port includes a plurality of open authorized ports, the plurality of open unauthorized ports representing false positives.
9. The computer system of claim 1, wherein the first response manager is configured to execute as a reverse proxy to re-route the unauthorized access request to the decoy server.
10. A computer-implemented method for causing at least one processor to execute instructions recorded on a non-transitory computer-readable medium, the method comprising:
detecting, by a deception manager, an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the detecting including,
receiving, by a first request handler, an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port;
determining, by the first request handler, whether the access request is unauthorized using a knowledge base including determining whether the port associated with the access request is the unauthorized port or the authorized port using the knowledge base;
providing, by a first response manager, a false positive response to the computer if the port associated with the access request is the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server;
re-routing, by the first response manager, access to the application server to a decoy server configured to mimic an appearance and function of the requested application server resources;
detecting, by a deceiver library agent, an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the detecting including,
determining, by the deceiver library agent, whether the access request is unauthorized if the first request handler determines that the access request is authorized including determining whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;
instructing, by the deceiver library agent, the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined as unauthorized by the deceiver library agent such that input validation or sanitization techniques are not applied to the input data;
monitoring and storing interactions of the computer with the decoy server in a logging database; and
updating the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.
11. The computer-implemented method of claim 10, further comprising:
storing a plurality of false passwords in the knowledge base;
determining, by the first request handler, whether the access request is unauthorized by determining that a password associated with the access request corresponds to at least one of the plurality of false passwords stored in the knowledge base; and
transmitting a false positive to the computer and re-routing the access request to the decoy server when the password associated with the access request is the at least one false password.
12. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable medium and comprising instructions that, when executed, are configured to cause at least one processor to:
detect, by a deception manager, an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the detect including,
receive, by a first request handler, an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port;
determine, by the first request handler, whether the access request is unauthorized using a knowledge base including determining whether the port associated with the access request is the unauthorized port or the authorized port using the knowledge base; and
provide, by a first response manager, a false positive response to the computer if the port associated with the access request is the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server;
re-route, by the first response manager, access to the application server to a decoy server configured to mimic an appearance and function of the requested application server resources;
detect, by a deceiver library agent, an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the detect including,
determine, by the deceiver library agent, whether the access request is unauthorized if the first request handler determines that the access request is authorized including determining whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;
instruct, by the deceiver library agent, the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined as unauthorized by the deceiver library agent such that input validation or sanitization techniques are not applied to the input data;
monitor and store interactions of the computer with the decoy server in a logging database; and
update the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.
13. The computer program product of claim 12, further comprising:
store a plurality of false passwords in the knowledge base;
determine, by the first request handler, whether the access request is unauthorized by determining that a password associated with the access request corresponds to at least one of the plurality of false passwords stored in the knowledge base;
transmit a false positive to the computer and re-route the access request to the decoy server when the password associated with the access request is the at least one false password.
14. The computer program product of claim 13, wherein the instructions, when executed, are configured to cause the at least one processor to implement at least one support tool, the at least one support tool configured to generate a plurality of potential false passwords to gain access to the application and update the knowledge base with one or more of the potential false passwords.
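The pipeline recited in claims 1 through 14, as an added Python model that is not the patent's own code: a knowledge base of authorized ports, open decoy ("unauthorized") ports and false passwords; the firewall-side request handler that answers a decoy port or a false password with a false positive and re-routes to the decoy server; a coarse deceiver-library check of the raw input for the three named attack classes; a logging database of decoy interactions; and the knowledge-base update step that feeds later routing decisions. All hosts, ports, passwords, payloads, response strings and regex patterns are constructed assumptions, not values from the patent.

```python
# Added example (not the patent's own code); ports, passwords, hosts, payloads constructed.
from dataclasses import dataclass, field
import re

@dataclass
class KnowledgeBase:
    authorized_ports: set        # ports that really reach the application server
    unauthorized_ports: set      # open "false positive" ports (claim 8)
    false_passwords: set         # honeytoken passwords (claims 5, 6, 11, 13)
    attack_patterns: dict        # attack name -> compiled regex (claims 1, 10)
    attacker_hosts: set = field(default_factory=set)   # learned from the logging database

@dataclass
class AccessRequest:
    source: str                  # requesting computer
    port: int
    password: str = ""
    path: str = ""
    params: dict = field(default_factory=dict)

@dataclass
class Decision:
    route: str                   # "app_server", "decoy" or "drop"
    response: str                # what the requesting computer is told
    reason: str

def default_attack_patterns():
    """Coarse signatures for the three application-level attack classes the claims name."""
    return {
        "directory_traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I),
        "client_side_scripting": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
        "sql": re.compile(r"(?:'|%27)\s*(?:or|and)\s+|union\s+select|;\s*drop\s+table|--\s*$", re.I),
    }

@dataclass
class DeceptionManager:
    """Request handler/response manager at the firewall (claims 1, 7, 9); agent_check() stands in for the deceiver library agent."""
    kb: KnowledgeBase
    log: list                    # the logging database, here a plain list

    def handle(self, req):
        if req.source in self.kb.attacker_hosts:
            return self._to_decoy(req, "source learned from earlier decoy interactions")
        if req.port in self.kb.unauthorized_ports:
            # The false positive: tell the client the port is open for legitimate use.
            return self._to_decoy(req, "unauthorized port", response="service ready")
        if req.port not in self.kb.authorized_ports:
            return Decision("drop", "connection refused", "closed port")
        if req.password and req.password in self.kb.false_passwords:
            return self._to_decoy(req, "false password", response="login accepted")
        attack = self.agent_check(req)
        if attack:
            return self._to_decoy(req, "application-level attack: " + attack)
        return Decision("app_server", "200 OK", "authorized request")

    def agent_check(self, req):
        """Match the raw input data against the knowledge base's attack patterns."""
        inputs = [req.path] + list(req.params.values())
        for name, pattern in self.kb.attack_patterns.items():
            if any(pattern.search(value) for value in inputs):
                return name
        return None

    def _to_decoy(self, req, reason, response="200 OK"):
        # Input is forwarded raw, not sanitized, so the decoy sees the actual payload.
        self.log.append({"source": req.source, "port": req.port, "reason": reason,
                         "raw_input": [req.path] + list(req.params.values())})
        return Decision("decoy", response, reason)

def update_knowledge_base(kb, log):
    """Final step of claim 10: here the lesson learned is which hosts touched the decoy."""
    for entry in log:
        kb.attacker_hosts.add(entry["source"])
    return len(kb.attacker_hosts)

def run_demo():
    """Route a constructed request sequence; return the route chosen for each request."""
    kb = KnowledgeBase(authorized_ports={443}, unauthorized_ports={8080, 3306},
                       false_passwords={"Winter2011!", "admin123"},
                       attack_patterns=default_attack_patterns())
    dm = DeceptionManager(kb, log=[])
    requests = [
        AccessRequest("198.51.100.7", 443, path="/orders", params={"id": "42"}),
        AccessRequest("203.0.113.9", 8080),                            # probes a decoy port
        AccessRequest("203.0.113.9", 443, password="admin123"),       # uses a false password
        AccessRequest("203.0.113.9", 443, path="/../../etc/passwd"),  # directory traversal
        AccessRequest("198.51.100.7", 443, params={"q": "' OR 1=1 --"}),  # SQL attack
        AccessRequest("198.51.100.7", 443, path="/orders"),            # benign, host now known
    ]
    routes = [dm.handle(req).route for req in requests[:5]]
    update_knowledge_base(kb, dm.log)            # refresh the knowledge base from the log
    routes.append(dm.handle(requests[5]).route)  # the sixth request rides on the update
    return routes
```

The last request is benign on its own; it is diverted only because the knowledge-base update marked its source from the earlier SQL attack, which is the feedback loop the final claim step describes.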
US13/331,972 2011-12-20 2011-12-20 Deception-based network security using false positive responses to unauthorized access requests Active 2031-12-27 US8925080B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US13/331,972 US8925080B2 (en) 2011-12-20 2011-12-20 Deception-based network security using false positive responses to unauthorized access requests
EP12008286.2A EP2608481B1 (en) 2011-12-20 2012-12-12 Deception-based network security using false positive responses to unauthorized access requests
CN201210557173.4A CN103179106B (en) 2011-12-20 2012-12-20 Access request to unauthorized uses the network security of false positive response

Publications (2)

Publication Number Publication Date
US20130160079A1 US20130160079A1 (en) 2013-06-20
US8925080B2 true US8925080B2 (en) 2014-12-30

Family

ID=47562915

Country Status (3)

Country Link
US (1) US8925080B2 (en)
EP (1) EP2608481B1 (en)
CN (1) CN103179106B (en)

Also Published As

Publication number Publication date
EP2608481A1 (en) 2013-06-26
EP2608481B1 (en) 2016-08-24
CN103179106A (en) 2013-06-26
CN103179106B (en) 2017-07-25
US20130160079A1 (en) 2013-06-20

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAP AG, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEBERT, CEDRIC;REEL/FRAME:029526/0329

Effective date: 20111220

AS Assignment

Owner name: SAP SE, GERMANY

Free format text: CHANGE OF NAME;ASSIGNOR:SAP AG;REEL/FRAME:033625/0223

Effective date: 20140707

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8